Vincent Li <vincent.mc.li@xxxxxxxxx> writes:

> On Wed, Dec 14, 2022 at 2:53 PM Toke Høiland-Jørgensen <toke@xxxxxxxxxx> wrote:
>>
>> Vincent Li <vincent.mc.li@xxxxxxxxx> writes:
>>
>> > Hi,
>> >
>> > If I have a user space stack like mTCP working on top of AF_XDP as a
>> > stateful TCP packet filter to drop TCP packets like TCP SYN/RST/ACK
>> > floods or other TCP attacks, and redirect the good TCP packets back to
>> > the Linux host stack after mTCP filtering, is that possible?
>>
>> Not really, no. You can inject it using regular userspace methods (say,
>> a TUN device), or using AF_XDP on a veth device. But in both cases the
>> packet will come in on a different interface, so it's not really
>> transparent. And performance is not great either.
>>
> I see.
>
>> In general, if you want to filter traffic before passing it on to the
>> kernel, the best bet is to implement your filtering in BPF and run it as
>> an XDP program.
>>
> I read about this:
> https://eric-keller.github.io/papers/2020/HybridNetworkStack_ieee_nfvsdn2020_slides.pdf,
> and thought it is a good idea to run mTCP on top of AF_XDP as an
> anti-DDoS tool.

Right, that slide deck seems awfully hand-wavy about how they're getting
packets back into the kernel, though... I guess you could ask the author
how they're doing it? :)

-Toke
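To make Toke's suggestion concrete (filter in BPF, run it as an XDP program, and only let the kernel see what survives), here is an added example that is not code from the thread, from mTCP, or from the slide deck: the parse-and-verdict logic of a stateless XDP TCP sanity filter, written as plain C so it builds and runs in user space without libbpf. The header structs, the XDP_* verdict values, the constructed test frame and the helper names (xdp_tcp_filter, build_tcp_frame, verdict_for) are this example's own; in a real XDP program the body of xdp_tcp_filter() would sit in a SEC("xdp") function that takes its data/data_end pointers from struct xdp_md, and the BPF verifier rejects the program unless every header access is preceded by exactly this kind of bounds check against data_end.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* XDP verdicts, same numeric values as in linux/bpf.h */
enum { XDP_ABORTED = 0, XDP_DROP = 1, XDP_PASS = 2 };

#define ETH_P_IP     0x0800
#define IPPROTO_TCP  6
#define TCP_FIN  0x01
#define TCP_SYN  0x02
#define TCP_RST  0x04
#define TCP_PSH  0x08
#define TCP_ACK  0x10
#define TCP_URG  0x20

/* Minimal wire-format headers (example's own definitions, not uapi headers) */
struct __attribute__((packed)) ethhdr { uint8_t dst[6], src[6]; uint16_t proto; };
struct __attribute__((packed)) iphdr {
    uint8_t ver_ihl, tos; uint16_t tot_len, id, frag_off;
    uint8_t ttl, protocol; uint16_t check; uint8_t saddr[4], daddr[4];
};
struct __attribute__((packed)) tcphdr {
    uint16_t source, dest; uint32_t seq, ack_seq;
    uint8_t doff_res, flags; uint16_t window, check, urg_ptr;
};

/* network byte order <-> host order for 16-bit fields */
static inline uint16_t be16(uint16_t v)
{
#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
    return (uint16_t)((v >> 8) | (v << 8));
#else
    return v;
#endif
}

/* Verdict for the frame in [data, data_end). Non-IPv4 and non-TCP traffic is
 * passed untouched; truncated headers and TCP flag combinations that no real
 * stack emits (NULL, SYN+FIN, SYN+RST, XMAS) are dropped before the kernel
 * stack ever sees them. */
int xdp_tcp_filter(const void *data, const void *data_end)
{
    const uint8_t *end = data_end;
    const struct ethhdr *eth = data;
    if ((const uint8_t *)(eth + 1) > end)
        return XDP_DROP;                         /* runt frame */
    if (be16(eth->proto) != ETH_P_IP)
        return XDP_PASS;                         /* not IPv4: leave to the stack */

    const struct iphdr *ip = (const struct iphdr *)(eth + 1);
    if ((const uint8_t *)(ip + 1) > end)
        return XDP_DROP;
    size_t ihl = (size_t)(ip->ver_ihl & 0x0f) * 4;
    if ((ip->ver_ihl >> 4) != 4 || ihl < sizeof(*ip))
        return XDP_DROP;                         /* malformed IPv4 header */
    if (ip->protocol != IPPROTO_TCP)
        return XDP_PASS;

    /* IP options make the offset variable: re-check the bound after adding ihl */
    const struct tcphdr *tcp = (const struct tcphdr *)((const uint8_t *)ip + ihl);
    if ((const uint8_t *)(tcp + 1) > end)
        return XDP_DROP;

    uint8_t f = tcp->flags & 0x3f;               /* ignore ECE/CWR */
    if (f == 0)
        return XDP_DROP;                         /* NULL scan */
    if ((f & TCP_SYN) && (f & (TCP_FIN | TCP_RST)))
        return XDP_DROP;                         /* SYN+FIN / SYN+RST */
    if ((f & (TCP_FIN | TCP_PSH | TCP_URG)) == (TCP_FIN | TCP_PSH | TCP_URG))
        return XDP_DROP;                         /* XMAS scan */
    return XDP_PASS;
}

/* Constructed test frame: Ethernet + 20-byte IPv4 + 20-byte TCP with the given
 * flags; addresses and ports are made up for the example. */
#define FRAME_LEN 54
size_t build_tcp_frame(uint8_t *buf, uint8_t flags)
{
    static const uint8_t src[4] = {192, 168, 0, 1}, dst[4] = {192, 168, 0, 2};
    memset(buf, 0, FRAME_LEN);
    struct ethhdr *eth = (struct ethhdr *)buf;
    eth->proto = be16(ETH_P_IP);
    struct iphdr *ip = (struct iphdr *)(buf + sizeof(*eth));
    ip->ver_ihl = 0x45;
    ip->tot_len = be16(40);
    ip->ttl = 64;
    ip->protocol = IPPROTO_TCP;
    memcpy(ip->saddr, src, 4);
    memcpy(ip->daddr, dst, 4);
    struct tcphdr *tcp = (struct tcphdr *)(buf + sizeof(*eth) + sizeof(*ip));
    tcp->source = be16(40000);
    tcp->dest = be16(80);
    tcp->doff_res = 5 << 4;
    tcp->flags = flags;
    return FRAME_LEN;
}

/* Verdict for a constructed frame with the given flags, truncated to len
 * bytes when len < FRAME_LEN (simulates a short frame hitting the parser). */
int verdict_for(uint8_t flags, size_t len)
{
    uint8_t buf[FRAME_LEN];
    size_t n = build_tcp_frame(buf, flags);
    if (len < n)
        n = len;
    return xdp_tcp_filter(buf, buf + n);
}

int main(void)
{
    printf("SYN       -> %s\n", verdict_for(TCP_SYN, FRAME_LEN) == XDP_PASS ? "pass" : "drop");
    printf("SYN+FIN   -> %s\n", verdict_for(TCP_SYN | TCP_FIN, FRAME_LEN) == XDP_PASS ? "pass" : "drop");
    printf("no flags  -> %s\n", verdict_for(0, FRAME_LEN) == XDP_PASS ? "pass" : "drop");
    printf("truncated -> %s\n", verdict_for(TCP_ACK, 40) == XDP_PASS ? "pass" : "drop");
    return 0;
}
```

Two caveats on this example. First, it is deliberately stateless: a flag sanity check stops malformed scans, but a SYN flood made of well-formed SYNs needs per-source state, which in XDP means a BPF map (for instance a hash map keyed by source address holding a counter or token bucket) rather than the user-space connection tracking the original question had in mind. Second, anything the filter returns XDP_PASS for goes up the normal kernel path on the same interface, which is the transparency that re-injecting from a user-space stack cannot give you.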